Search This Blog

Monday, July 15, 2013

Spoofing OBDII to pass emissions test

This is a bad idea, but I just wanted to get it out of my system.





Today I had to take my old Honda for a state emissions test.   The test consists of looking under your car with a mirror, and plugging in the OBDII for about 2 minutes.  They may have some sensors for the exhaust gases, but it's not obvious.   It's my understanding that they poll the OBDII for any error codes, and that is just about it.   I passed, but had to wait in line long enough to make me think subversive thoughts.

I was reminded of the work I did years ago building an OBDII reader.  But how hard would it be to make a spoofed OBDII device?   It seems like it would be pretty easy to disconnect the OBDII and put a micro-controller behind the OBDII connector to read back a clean bill of health.

The usual disclaimer, I would never do such a thing and I don't advocate any one else do it.  But as an intellectual exercise I thought I'd look into the feasibility.   I wonder if there are protections against this sort of thing?

There are no new ideas under the sun, so a little googling found some people thinking of the same thing:

http://forums.nasioc.com/forums/showthread.php?t=753331
http://grassrootsmotorsports.com/forum/grm/learn-me-obd-ii-emulation/58941/page1/
http://my.is/forums/f114/passing-obd2-emissions-standalone-339716/index5.html
http://forum.miata.net/vb/showthread.php?t=143853

Ease Diagnostics makes an OBD-II emulator - 
http://www.obd2.com/emissions/data/emissions_ver_test.htm
Used for testing the emissions testers.  They have this little box telling you why you can't use if for spoofing:

SECURITY FEATURES
To prevent the EASE OBD II Verification Tester from being substituted as a "clean" vehicle in an emissions inspection, we have built in the following security features.  
  • The controller ID is permanently set to $FD.  This value is not an acceptable controller ID.
  • The number of PIDs is always 32.  On an actual vehicle this would mean all the PIDS were supported.  This is not likely to happen. 
  • The AC Sys Refrig I/M Monitor is always Supported and Not Complete. No vehicle currently supports this I/M monitor. 

Looks like the OBDII has some vehicle information, rpm, etc.  All which would be easy to duplicate.  So the first step would be to read your present OBDII, clone the information, and write it back to the spoofer.

One of my raspberry PI's might be best, because it has lost of memory/disk for stored values and GPIO to write a bit banged serial interface, and you can connect a keyboard, display and mouse for the programming phase.   An arduino might be able to pull it off, but I suspect it would require two programs.  One to read and one to spoof.

This page has some info on what the emissions test is looking for
http://www.scangauge.com/tips-and-tricks/finding-incomplete-obdii-tests-using-the-scangauge-ii/

I'll put this idea on the shelf for now and see if I decide to build it later.

11 comments:

  1. i was going to use two elm327 interfaces one to connect to the car, and the other to replace the original obd connector. then just allow all data requests to pass through, except for the obd readyness status, and the mil on, if mil light on just clear it..

    ReplyDelete
    Replies
    1. Nice idea. That is basically how the old video cartridge game sharks worked. They sit in the middle and pass the information, and intercept any unwanted data and alter it. Better than spoofing the whole interface.

      Delete
    2. This comment has been removed by the author.

      Delete
    3. Hey Albert Skinner may I contact you else where?

      Delete
    4. You captured my thoughts exactly in these last two comments. Unbelievable!

      Delete
  2. This comment has been removed by the author.

    ReplyDelete
  3. One of my raspberry PI's might be best, because it has lost of memory/disk for stored values and GPIO to write a bit banged serial interface, and you can connect a keyboard, display and mouse for the programming phase. I like in this articles and I have a same blogs please logged in: http://scantoolcenter.com/obd2-scanners/innova-3160-diagnostic-scan-tool-review/

    ReplyDelete
  4. This sounds perfect for what I'm planning to do, but how would I get started on this?

    ReplyDelete
  5. I conduced emission testing via different obd ii scanners, including Autel, Launch and your standard Android apps like ScanMaster. Also used http://www.totalcardiagnostics.com/toad and stuck with it, as it was able to car tune the ECU chip, in addition to being reliable obd2 software.

    ReplyDelete
  6. The comments section was a blast from the ol’ past when I saw the term, “Game Sharks.” I forgot about those glorious devices for gamers who just didn’t want to spend the time to get to certain levels, etc.
    wireless obd2 scanner
    I know I’m way off topic here but I didn’t know there was a GameShark for the N64. Cool comparison between your emission spoofer and the GameShark.

    ReplyDelete
  7. Thank you There Is certainly a lot to learn about Suspendable Garbage Bag Dispenser, I really like all the points you've made.

    ReplyDelete